Yubico Forum

PostPosted: Thu Nov 06, 2014 4:06 pm 

Joined: Thu Oct 30, 2014 11:17 pm
Posts: 1
I am trying to use the yubico-piv-tool-0.1.0-win64.zip distribution of yubico-piv-tool to import an existing private key / certificate pair in PKCS12 format using the following command

Code:
./yubico-piv-tool -v -s 9c -i certificate.p12 -K PKCS12 -p password -a set-chuid -a import-key -a import-cert


but I keep getting the following:

Code:
Successfully set new CHUID.
using reader 'Yubico Yubikey NEO OTP+CCID 0' matching 'Yubikey'.
Successful applet authentication.
Now processing for action 7.
Setting the GUID to: 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 8c aa e0 79 67 a6 08 2f dd aa c2 db 94 4e 9e 3f 00 35 08 32 30 33 30 30 31 30 31 3e 00 fe 00
Now processing for action 5.
Failed import command with code 6f00.


Can anyone tell me what this code implies or what I might be doing wrong? If I remove the

Code:
-a import-key

it imports the certificate without error, but I need both. Thanks.



PostPosted: Tue Nov 11, 2014 8:32 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Unfortunately I don't think the new release fixes this issue; the "6f 00" return indicates a problem with the applet.

Would you be able to send me an example pkcs12 file that exhibits this problem, at klas@yubico.com?

What type is the private key inside the pkcs12? rsa-2048?

What version is the applet you're running with? It can be extracted with -a version to yubico-piv-tool.

/klas


PostPosted: Tue Nov 11, 2014 8:44 pm 

Joined: Mon Jan 06, 2014 3:53 pm
Posts: 3
I tried this with my shiny new YubiKey NEO on my Mac and got pretty much the same result. Unlike DeezCashews I didn't use "-a set-chuid" but that didn’t change the outcome:

Code:
yubico-piv-tool -s 9c -i my_ca.p12 -K PKCS12 -p password -a import-key -a import-cert -v5


Which resulted in: (Yes, I cranked up the verbosity in the hope of some helpful output for the developers)

Code:
using reader 'Yubico Yubikey NEO CCID' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 8a 80 f9 6e 00 db 58 2c 90 00
> 00 87 03 9b 16 7c 14 80 08 b0 fe 9a fc a5 a9 4a 96 81 08 33 84 0f e9 43 a5 ec d2
< 7c 0a 82 08 29 b3 71 c5 dc 91 41 bb 90 00
Successful applet authentication.
Now processing for action 5.
Going to send 255 bytes in this go.
> 10 fe 07 9c ff 01 81 80 f0 9f b9 42 5a 64 76 0f f4 f5 0e c6 0b f4 23 f2 70 57 ba b8 d3 19 ad b1 3c 96 a7 17 1d 48 4e eb fd 92 5e 5a 2f 1e 64 9c fb 70 a8 3b 85 1d 31 c8 2f ad fa bd 66 4b 05 d8 7a ec 2b a3 46 42 7b fd e1 c4 28 da df 97 ea 0b aa 85 fc 7d 35 3d a4 95 07 9f fc d2 5c 3b 35 2b e5 e9 df c0 a6 7f 33 49 04 56 f0 78 3e b1 c1 73 5a b1 5b c6 21 ec 37 98 80 dd 93 8c 25 b4 8f 5c 47 0d 3a c8 59 77 d2 ed 02 81 80 c5 27 78 d1 d6 21 67 f1 3c 76 b3 ba 34 b3 42 25 8f ab d0 96 bd 38 9c 17 40 4e d7 66 75 d5 6a f9 b6 3d 99 ba 93 a3 0f 71 8f 84 d5 d1 b0 19 8a a7 a1 60 b0 56 07 c9 7c 13 79 14 ed 25 ee 3c cf 8a 5b 4d 14 d4 61 ca 42 51 d1 cd 8a ed a3 a8 1f 80 55 9f 29 01 b5 f6 55 d5 12 41 f6 0d 55 53 19 47 61 40 8b fe 35 61 21 c7 4f 70 60 b9 4f 66 0c ca ce 0b d2 9a 16 80 57 f9 ee
< 90 00
Going to send 255 bytes in this go.
> 10 fe 07 9c ff 07 25 4a ac 35 f9 b1 03 81 80 ef 33 f9 39 0b 1f 1f 76 d1 6e e3 d6 e1 7f 3c 55 00 75 55 fb f2 6f 6e 89 e8 cf 63 1f c9 4e 5e 96 9f 27 68 80 82 a2 d6 26 70 97 17 c6 c3 97 b8 2b 67 aa ae be a5 f8 22 c1 87 c1 4b c8 2e 4a 5d 74 8f 81 2f 94 15 fe b0 fe 13 f0 ca 85 b5 ed a7 b5 37 35 46 61 e0 aa 43 3b 76 7d be 9f 87 64 a0 19 10 25 55 3c 54 26 e5 46 c5 7b d6 dd ea 4f 27 1d 85 cd bf a5 ec bd c8 5e 55 8b c3 49 f4 16 f8 29 04 7f 3d 9c 18 25 7a c4 f5 b6 6d 2e aa fb 85 7c 7f 2f 3d b6 73 78 a7 a9 09 1e 3a fa 68 55 9c 7d 14 f0 f4 02 4c 08 02 1a f2 b8 8a 20 f8 b0 8e 57 6c fc f5 71 41 a9 a0 c5 56 00 bf d5 ca 46 10 2c f0 ae 4b d9 ca a8 93 e6 a0 d2 f0 bd 4a ac f8 77 91 60 89 61 33 6f 55 6d a5 64 f0 4f ac 94 7e 15 79 d0 d4 93 57 2c 19 82 41 0c 07 c7 16 72 d2 5d 11 a2 4e c1 63
< 90 00
Going to send 143 bytes in this go.
> 00 fe 07 9c 8f 0e c3 f9 57 84 c2 dd 78 c9 dd 07 01 05 81 80 ae 27 3b a1 8d f3 34 4f e9 50 d3 e9 16 b0 b5 94 de 3e 14 93 3f d3 d8 99 16 55 29 5f 6d d0 5e b0 d7 87 04 59 86 88 e6 de fc 47 7e 1c 77 16 4e f3 50 48 4b f4 a0 e1 34 4a b9 ed b8 69 ab 73 a8 0b 18 0e 89 18 a8 4b 7d a6 9f b2 20 d3 44 9d 9a 0a 6f dc 2c 65 69 ef c5 3d c7 38 66 46 fe 67 be df 8e 71 42 c7 1d e4 2f 7c 6c 6e 34 4a df 1c 51 e2 af c5 47 1c 1e 6b a7 a0 8d 86 78 45 40 00 fb 0c
< 6f 00
Failed import command with code 6f00.


The PIV applet installed on my NEO has version 0.1.2. The private key is RSA-2048.


PostPosted: Wed Nov 12, 2014 10:32 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Very interesting (and as a note, the verbose data at that level contains your private key..)

What seems to be happening here is that parameter 4 (dq1) is one byte too short and needs to have a 0 byte added first to be acceptable to the card. It'd be interesting to get a key that looks like this; could you email the PKCS12 you used to me at klas@yubico.com?

I'll see if I can add some code that makes sense that fixes this.

/klas

EDIT: There is now a potential fix for this issue pushed for the tool to github: https://github.com/Yubico/yubico-piv-to ... fff1709d29. It'd be great if someone could test this and report back.


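The failure Klas diagnoses above is a fixed-width encoding problem: the card expects every RSA CRT component at its full width, so a component whose leading byte happens to be zero must be left-padded rather than sent in its shortest form. The following is an added example, not code from the thread or from yubico-piv-tool. It assumes the tag layout 01 = p, 02 = q, 03 = dP, 04 = dQ, 05 = qInv with a 128-byte field per component for RSA-2048, and it uses constructed numbers, not a real key.

```python
"""Added example (not part of the thread or of yubico-piv-tool): encode the
RSA-2048 CRT components for a PIV import-key payload with fixed-length
fields, and scan a payload for fields shorter than the card expects.

Assumed tag layout, treated here as an assumption of this example:
01 = p, 02 = q, 03 = dP, 04 = dQ, 05 = qInv."""

CRT_TAGS = {0x01: "p", 0x02: "q", 0x03: "dp", 0x04: "dq", 0x05: "qinv"}
COMPONENT_LEN = 128  # bytes per CRT component for a 2048-bit modulus


def minimal_bytes(value: int) -> bytes:
    """Shortest big-endian encoding; drops leading zero bytes (the failing form)."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def fixed_bytes(value: int, length: int = COMPONENT_LEN) -> bytes:
    """Big-endian encoding left-padded with 0x00 to exactly `length` bytes.
    An oversized value raises instead of being silently truncated."""
    raw = minimal_bytes(value)
    if len(raw) > length:
        raise ValueError(f"component is {len(raw)} bytes, limit is {length}")
    return raw.rjust(length, b"\x00")


def encode_length(n: int) -> bytes:
    """BER definite length: one byte below 0x80, else 0x81/0x82 long form."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def decode_length(buf: bytes, pos: int):
    """Return (length, position after the length field) for a BER length at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_payload(crt: dict, encode) -> bytes:
    """Concatenate tag | length | value for each CRT component using `encode`."""
    out = bytearray()
    for tag, name in CRT_TAGS.items():
        value = encode(crt[name])
        out += bytes([tag]) + encode_length(len(value)) + value
    return bytes(out)


def find_mismatched_components(payload: bytes, expected_len: int = COMPONENT_LEN):
    """Walk the TLV payload; return (name, actual_len) for every field whose
    length differs from expected_len. An empty list means the payload is sane."""
    bad = []
    pos = 0
    while pos < len(payload):
        tag = payload[pos]
        length, pos = decode_length(payload, pos + 1)
        pos += length
        if length != expected_len:
            bad.append((CRT_TAGS.get(tag, f"tag {tag:02x}"), length))
    return bad


# Constructed sample, not a real key: dq has a zero top byte, so its minimal
# encoding is 127 bytes, exactly the situation described in the thread.
SAMPLE_CRT = {
    "p": (1 << 1023) | 0x1B,
    "q": (1 << 1023) | 0x2F,
    "dp": (1 << 1022) | 0x33,
    "dq": (1 << 1015) | 0x45,
    "qinv": (1 << 1020) | 0x07,
}


def demo():
    """Compare the unpadded (failing) payload with the zero-padded one."""
    naive = build_payload(SAMPLE_CRT, minimal_bytes)
    padded = build_payload(SAMPLE_CRT, fixed_bytes)
    return {
        "naive_len": len(naive),
        "naive_problems": find_mismatched_components(naive),
        "padded_len": len(padded),
        "padded_problems": find_mismatched_components(padded),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With the sample above the unpadded payload is 653 bytes, the same total as the three chunks in the trace (255 + 255 + 143), and the scan reports only dq at 127 bytes; padding every component to 128 bytes gives a 655-byte payload with no mismatches. The padding does not change the integer value, it only satisfies the card's fixed-width parsing, which is why the tool-side fix is sufficient.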
PostPosted: Wed Nov 12, 2014 8:19 pm 

Joined: Mon Jan 06, 2014 3:53 pm
Posts: 3
I don’t mind the private key being visible. It's just my own CA I created. I can restart from scratch. ;)

Anyway, the latest change from Klas seems to have fixed it. I was able to successfully import a new private key and certificate. Are you still interested to see that PKCS12?


PostPosted: Thu Nov 13, 2014 9:16 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Good, so with that commit it works for you. Then I don't need the PKCS12 any more; I managed to create keys like that myself.

I'll try to cut a release of this today or tomorrow.

/klas

